I will try to describe the issue the best that I can... but the real problem is, I have no idea what could be causing this.
I have a VPN set up, which is being used to access a company server (intranet + network drives). The server has no internet access, so split tunneling is used.
Until yesterday, everything worked fine on my 2020 M1 MacBook Pro – 13.2 Ventura. I was using Tunnelblick, which was not very fast, but fairly reliable.
Then I tried to update Tunnelblick, which broke it irreversibly (stuck in a loop on install / launch.)
So I installed Viscosity – and this is where it gets super bizarre: When I connect to the VPN, Chrome and other apps seemingly cannot resolve DNS properly.
But through the terminal, everything seems fine – and even Safari works flawlessly! (connects to intranet, WWW, everything works just fine)
Network drives also connect and work just fine.
Suspecting that this is a permission issue, which Apple apps override, I tried through root user (my normal account is admin level) and on root, everything works perfectly – all apps can access the WWW and the intranet perfectly.
So, uh...any ideas?
(Short of doing a clean macOS install, I have tried seemingly everything, I spent a full day on the issue with Google, ChatGPT, our IT department etc. before giving up.)
[Terminal outputs follow]
VPN on:
ping
vasekrych@Vaclav-MacBook-Pro ~ % sudo ping google.com
PING google.com (142.251.37.110): 56 data bytes
64 bytes from 142.251.37.110: icmp_seq=0 ttl=117 time=27.302 ms
64 bytes from 142.251.37.110: icmp_seq=1 ttl=117 time=20.465 ms
64 bytes from 142.251.37.110: icmp_seq=2 ttl=117 time=12.443 ms
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 12.443/20.070/27.302/6.073 ms
vasekrych@Vaclav-MacBook-Pro ~ % sudo ping seznam.cz
PING seznam.cz (77.75.77.222): 56 data bytes
64 bytes from 77.75.77.222: icmp_seq=0 ttl=55 time=27.136 ms
64 bytes from 77.75.77.222: icmp_seq=1 ttl=55 time=13.984 ms
64 bytes from 77.75.77.222: icmp_seq=2 ttl=55 time=13.753 ms
--- seznam.cz ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 13.753/18.291/27.136/6.255 ms
vasekrych@Vaclav-MacBook-Pro ~ % sudo ping news.greenpha.local
PING news.greenpha.local (10.0.1.12): 56 data bytes
64 bytes from 10.0.1.12: icmp_seq=0 ttl=63 time=10.873 ms
64 bytes from 10.0.1.12: icmp_seq=1 ttl=63 time=9.514 ms
64 bytes from 10.0.1.12: icmp_seq=2 ttl=63 time=10.276 ms
--- news.greenpha.local ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.514/10.221/10.873/0.556 ms
scutil
vasekrych@Vaclav-MacBook-Pro ~ % scutil --dns
DNS configuration
resolver #1
search domain[0] : greenpha.local
search domain[1] : home
nameserver[0] : 8.8.8.8
nameserver[1] : 8.8.4.4
nameserver[2] : 2001:4860:4860::8888
nameserver[3] : 2001:4860:4860::8844
flags : Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
resolver #2
domain : greenpha.local
nameserver[0] : 10.0.0.5
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
order : 101800
resolver #3
domain : local
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #4
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300200
resolver #5
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300400
resolver #6
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300600
resolver #7
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300800
resolver #8
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 301000
DNS configuration (for scoped queries)
resolver #1
search domain[0] : home
nameserver[0] : 8.8.8.8
nameserver[1] : 8.8.4.4
nameserver[2] : 2001:4860:4860::8888
nameserver[3] : 2001:4860:4860::8844
if_index : 13 (en7)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
resolver #2
search domain[0] : home
nameserver[0] : 8.8.8.8
nameserver[1] : 8.8.4.4
nameserver[2] : 2001:4860:4860::8888
if_index : 11 (en0)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
resolver #3
search domain[0] : greenpha.local
nameserver[0] : 10.0.0.5
if_index : 19 (utun10)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)
cat
vasekrych@Vaclav-MacBook-Pro ~ % sudo cat /etc/resolv.conf
Password:
#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
# scutil --dns
#
# SEE ALSO
# dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
search greenpha.local home
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 2001:4860:4860:0:0:0:0:8888
nameserver 2001:4860:4860:0:0:0:0:8844
host
vasekrych@Vaclav-MacBook-Pro ~ % sudo host google.com
google.com has address 142.251.36.78
google.com has IPv6 address 2a00:1450:4014:80b::200e
google.com mail is handled by 10 smtp.google.com.
vasekrych@Vaclav-MacBook-Pro ~ % sudo host seznam.cz
seznam.cz has address 77.75.79.222
seznam.cz has address 77.75.77.222
seznam.cz has IPv6 address 2a02:598:a::79:222
seznam.cz has IPv6 address 2a02:598:2::1222
seznam.cz mail is handled by 10 mx1.seznam.cz.
seznam.cz mail is handled by 20 mx2.seznam.cz.
vasekrych@Vaclav-MacBook-Pro ~ % sudo host news.greenpha.local
Host news.greenpha.local not found: 3(NXDOMAIN)
dig
vasekrych@Vaclav-MacBook-Pro ~ % sudo dig google.com
; <<>> DiG 9.10.6 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59744
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 36 IN A 142.251.36.142
;; Query time: 78 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 25 23:56:11 CEST 2023
;; MSG SIZE rcvd: 55
vasekrych@Vaclav-MacBook-Pro ~ % sudo dig seznam.cz
; <<>> DiG 9.10.6 <<>> seznam.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41765
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;seznam.cz. IN A
;; ANSWER SECTION:
seznam.cz. 19 IN A 77.75.77.222
seznam.cz. 19 IN A 77.75.79.222
;; Query time: 74 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 25 23:56:22 CEST 2023
;; MSG SIZE rcvd: 70
vasekrych@Vaclav-MacBook-Pro ~ % sudo dig news.greenpha.local
; <<>> DiG 9.10.6 <<>> news.greenpha.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23497
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;news.greenpha.local. IN A
;; AUTHORITY SECTION:
. 86396 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023072502 1800 900 604800 86400
;; Query time: 74 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 25 23:56:31 CEST 2023
;; MSG SIZE rcvd: 123
nslookup
vasekrych@Vaclav-MacBook-Pro ~ % sudo nslookup google.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: google.com
Address: 142.251.36.142
vasekrych@Vaclav-MacBook-Pro ~ % sudo nslookup seznam.cz
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: seznam.cz
Address: 77.75.79.222
Name: seznam.cz
Address: 77.75.77.222
vasekrych@Vaclav-MacBook-Pro ~ % sudo nslookup news.greenpha.local
Server: 8.8.8.8
Address: 8.8.8.8#53
** server can't find news.greenpha.local: NXDOMAIN
VPN off:
ping
vasekrych@Vaclav-MacBook-Pro ~ % sudo ping google.com
PING google.com (142.251.37.110): 56 data bytes
64 bytes from 142.251.37.110: icmp_seq=0 ttl=117 time=34.201 ms
64 bytes from 142.251.37.110: icmp_seq=1 ttl=117 time=15.227 ms
64 bytes from 142.251.37.110: icmp_seq=2 ttl=117 time=19.628 ms
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 15.227/23.019/34.201/8.109 ms
vasekrych@Vaclav-MacBook-Pro ~ % sudo ping seznam.cz
PING seznam.cz (77.75.77.222): 56 data bytes
64 bytes from 77.75.77.222: icmp_seq=0 ttl=55 time=35.463 ms
64 bytes from 77.75.77.222: icmp_seq=1 ttl=55 time=124.522 ms
64 bytes from 77.75.77.222: icmp_seq=2 ttl=55 time=27.554 ms
--- seznam.cz ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 27.554/62.513/124.522/43.966 ms
vasekrych@Vaclav-MacBook-Pro ~ % sudo ping news.greenpha.local
ping: cannot resolve news.greenpha.local: Unknown host
vasekrych@Vaclav-MacBook-Pro ~ % sudo ping 10.0.1.12
PING 10.0.1.12 (10.0.1.12): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
Request timeout for icmp_seq 8
Request timeout for icmp_seq 9
Request timeout for icmp_seq 10
Request timeout for icmp_seq 11
Request timeout for icmp_seq 12
--- 10.0.1.12 ping statistics ---
14 packets transmitted, 0 packets received, 100.0% packet loss
scutil
vasekrych@Vaclav-MacBook-Pro ~ % scutil --dns
DNS configuration
resolver #1
search domain[0] : home
nameserver[0] : 8.8.8.8
nameserver[1] : 8.8.4.4
nameserver[2] : 2001:4860:4860::8888
nameserver[3] : 2001:4860:4860::8844
flags : Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #3
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300200
resolver #4
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300400
resolver #5
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300600
resolver #6
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300800
resolver #7
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 301000
DNS configuration (for scoped queries)
resolver #1
search domain[0] : home
nameserver[0] : 8.8.8.8
nameserver[1] : 8.8.4.4
nameserver[2] : 2001:4860:4860::8888
nameserver[3] : 2001:4860:4860::8844
if_index : 13 (en7)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
resolver #2
search domain[0] : home
nameserver[0] : 8.8.8.8
nameserver[1] : 8.8.4.4
nameserver[2] : 2001:4860:4860::8888
if_index : 11 (en0)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
cat
vasekrych@Vaclav-MacBook-Pro ~ % sudo cat /etc/resolv.conf
Password:
#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
# scutil --dns
#
# SEE ALSO
# dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
search home
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 2001:4860:4860:0:0:0:0:8888
nameserver 2001:4860:4860:0:0:0:0:8844
host
vasekrych@Vaclav-MacBook-Pro ~ % sudo host google.com
google.com has address 142.251.36.110
google.com has IPv6 address 2a00:1450:4014:80e::200e
google.com mail is handled by 10 smtp.google.com.
vasekrych@Vaclav-MacBook-Pro ~ % sudo host seznam.cz
seznam.cz has address 77.75.77.222
seznam.cz has address 77.75.79.222
seznam.cz has IPv6 address 2a02:598:2::1222
seznam.cz has IPv6 address 2a02:598:a::79:222
seznam.cz mail is handled by 10 mx1.seznam.cz.
seznam.cz mail is handled by 20 mx2.seznam.cz.
vasekrych@Vaclav-MacBook-Pro ~ % sudo host news.greenpha.local
Host news.greenpha.local not found: 3(NXDOMAIN)
dig
vasekrych@Vaclav-MacBook-Pro ~ % sudo dig google.com
; <<>> DiG 9.10.6 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27355
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 211 IN A 142.251.36.110
;; Query time: 79 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul 26 00:05:41 CEST 2023
;; MSG SIZE rcvd: 55
vasekrych@Vaclav-MacBook-Pro ~ % sudo dig seznam.cz
; <<>> DiG 9.10.6 <<>> seznam.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57275
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;seznam.cz. IN A
;; ANSWER SECTION:
seznam.cz. 9 IN A 77.75.79.222
seznam.cz. 9 IN A 77.75.77.222
;; Query time: 73 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul 26 00:05:45 CEST 2023
;; MSG SIZE rcvd: 70
vasekrych@Vaclav-MacBook-Pro ~ % sudo dig news.greenpha.local
; <<>> DiG 9.10.6 <<>> news.greenpha.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45331
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;news.greenpha.local. IN A
;; AUTHORITY SECTION:
. 86398 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023072502 1800 900 604800 86400
;; Query time: 74 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul 26 00:05:54 CEST 2023
;; MSG SIZE rcvd: 123
nslookup
vasekrych@Vaclav-MacBook-Pro ~ % sudo nslookup google.com
Server: 8.8.4.4
Address: 8.8.4.4#53
Non-authoritative answer:
Name: google.com
Address: 142.251.36.110
vasekrych@Vaclav-MacBook-Pro ~ % sudo nslookup seznam.cz
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: seznam.cz
Address: 77.75.79.222
Name: seznam.cz
Address: 77.75.77.222
vasekrych@Vaclav-MacBook-Pro ~ % sudo nslookup news.greenpha.local
Server: 8.8.8.8
Address: 8.8.8.8#53
** server can't find news.greenpha.local: NXDOMAIN
Common ones
ls
vasekrych@Vaclav-MacBook-Pro ~ % ls -l /etc/resolv.conf
lrwxr-xr-x 1 root wheel 22 14 led 2023 /etc/resolv.conf -> ../var/run/resolv.conf
scutil --dns, cat /etc/resolv.conf, and ls -l /etc/resolv.conf? Also, do the DNS tools host, dig, and nslookup work fine even when you don't specify a DNS server to use? I have a hunch that apps and command-line tools that use their own DNS resolver code are not able to figure out a DNS server to use, or can't reach any of the ones listed in resolv.conf.